The IDP sometimes needs to send user attributes to a service provider as SAML Attribute statements in the assertion. When the IDP runs on JBoss AS, this can be done as follows:
- Set the Attribute Manager on the IDP to be org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager
<PicketLinkIDP AttributeManager="org.picketlink.identity.federation.bindings.jboss.attribute.JBossAppServerAttributeManager"> </PicketLinkIDP>
- Configure the security domain of the IDP to also include mapping configuration for attributes.
- Configure a JBoss AS Attribute Mapping Provider that can interface with LDAP. This mapping provider goes in the security domain configuration. Reference: http://community.jboss.org/wiki/MappingRolesInJBossApplicationServerV5x (Remember, the mapping provider must be declared with type=attribute, not type=role.)
- The LDAP attribute mapping provider shipped with JBoss AS is org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider
For an example of the mapping provider configuration, see https://community.jboss.org/wiki/PicketLinkSTSLoginModules
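As an added illustration, not taken from this wiki page or from the PicketLink project, here is how the security-domain steps above fit together in a JBoss AS 5.x login-config.xml application-policy. The domain name idp, the LDAP host, the DNs, the credential and the attribute names are placeholders; the module-option names are assumed from the options LdapAttributeMappingProvider is documented to accept and should be checked against the provider documentation for the AS version in use.

```xml
<!-- Added example, not from the wiki page. Placeholders: domain name, host,
     DNs, credential, attribute names. Option names are assumed from the
     LdapAttributeMappingProvider documentation; verify for your AS version. -->
<application-policy name="idp">
  <authentication>
    <!-- Whatever login module already authenticates IDP users stays as it is. -->
    <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
  </authentication>
  <mapping>
    <!-- type="attribute" is what JBossAppServerAttributeManager consumes;
         type="role" would feed role mapping instead and yield no SAML attributes. -->
    <mapping-module code="org.jboss.security.mapping.providers.attribute.LdapAttributeMappingProvider"
                    type="attribute">
      <module-option name="java.naming.provider.url">ldap://ldap.example.org:389</module-option>
      <!-- A read-only service account that can only search the user subtree. -->
      <module-option name="bindDN">cn=idp-reader,ou=Services,dc=example,dc=org</module-option>
      <module-option name="bindCredential">CHANGEME</module-option>
      <module-option name="baseCtxDN">ou=People,dc=example,dc=org</module-option>
      <!-- {0} is replaced with the authenticated principal name. -->
      <module-option name="baseFilter">(uid={0})</module-option>
      <!-- Only these LDAP attributes are copied into the SAML AttributeStatement. -->
      <module-option name="attribute.list">mail,cn,sn</module-option>
    </mapping-module>
  </mapping>
</application-policy>
```

The IDP web application then references this domain from its jboss-web.xml security-domain element. Keep attribute.list to the attributes the service provider actually needs, since everything listed ends up in the assertion, and protect the bind credential (file permissions, or the server's encrypted-password mechanism where the AS version supports it). To confirm the wiring, inspect an issued assertion and check that its AttributeStatement carries exactly the listed attributes.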